On 02.11.2016 19:54, Stuart Henderson wrote:
On 2016-11-02, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
If the standard way works, I am happy to include the original patch I sent, amended so that it checks for presence of LIBRESSL_VERSION_NUMBER. If they keep this promise, then we should have no worries about things breaking up. Diff below is what I've added to OpenBSD ports.
The libressl API is not cast in stone, there's a possibility some functions from newer OpenSSL might be added - in fact we already have some like TLS_method. 0x20000000L was specifically chosen to not match up with anything OpenSSL had used because they aren't directly comparable.
In general I think the best approach would be for feature checks, e.g. in autoconf. (I wish there was some common m4 file shared between projects that people could use for this..) In the absence of this, it seems a better idea to check at the places where #ifdefs are done rather than override OPENSSL_VERSION_NUMBER locally.
I don't think carrying patches like this separately is all that good an idea - people may well compile things on their own and not know about the problem. If the build fails that's not so bad, but the silent miscompile we see here is pretty nasty.
Thank you for the patch.
My personal opinion is that it is also a bit nasty to pretend to support some API/ABI but provide false version numbers.
https://wiki.openssl.org/index.php/1.1_API_Changes, this is what OpenSSL recommends to use for handling backwards compatibility with older versions. As you can see, it uses a < test. Now you are claiming to be v2.0.0, which means that there is no reasonable way to use OPENSSL_VERSION to determine whether some particular feature is there or not.
Yes, we could test each function separately, but that would kinda beat the point of having a VERSION header in the first place, and also adds to the ifdef hell by forcing us to check for each and every openssl function that has changed since 1.0.0 and use that particular ifdef.
It would've been better, again in my opinion, to keep the VERSION in libressl to match with the API you are providing instead of choosing some abstract value that can mess up with everyone's code. If you add features to your API from OpenSSL, you can update the version number to match with the API you provide.
Just my 0.02€.
Aki
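
An added example, not code from this thread or from Dovecot or LibreSSL: a small C model of the two `#if` guards discussed above, evaluated over constructed header values, showing where the plain `<` test silently picks the wrong branch. It assumes the guarded code calls an OpenSSL 1.1 function that the LibreSSL build lacks; the struct, the function names and all sample numbers except 0x20000000L and the 0x10100000L boundary are hypothetical.

```c
#include <stdio.h>

#define OPENSSL_110 0x10100000L  /* boundary used by the "<" test */

/* One build environment: the macros its TLS headers define. */
struct ssl_headers {
    const char *name;
    long openssl_version;   /* OPENSSL_VERSION_NUMBER */
    long libressl_version;  /* LIBRESSL_VERSION_NUMBER, 0 = not defined */
};

/* Constructed sample values, not read from real headers. */
static const struct ssl_headers samples[] = {
    { "OpenSSL 1.0.2 (constructed)", 0x1000200fL, 0 },
    { "OpenSSL 1.1.0 (constructed)", 0x1010000fL, 0 },
    { "LibreSSL (constructed)",      0x20000000L, 0x2050000fL },
};
#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Models: #if OPENSSL_VERSION_NUMBER < 0x10100000L  (pre-1.1 code path) */
static int naive_uses_legacy(const struct ssl_headers *h) {
    return h->openssl_version < OPENSSL_110;
}

/* Models the check done at the #if site (assumed form):
 * #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) */
static int guarded_uses_legacy(const struct ssl_headers *h) {
    return h->openssl_version < OPENSSL_110 || h->libressl_version != 0;
}

/* Returns how many sample environments the two guards classify differently. */
static int count_disagreements(void) {
    int n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        n += naive_uses_legacy(&samples[i]) != guarded_uses_legacy(&samples[i]);
    return n;
}

int main(void) {
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-30s naive=%-6s guarded=%s\n", samples[i].name,
               naive_uses_legacy(&samples[i]) ? "legacy" : "1.1",
               guarded_uses_legacy(&samples[i]) ? "legacy" : "1.1");
    printf("guards disagree on %d environment(s)\n", count_disagreements());
    return 0;
}
```

The only row where the guards disagree is the LibreSSL one: 0x20000000L is not below the 1.1.0 boundary, so the plain `<` test selects the 1.1 branch without any build error.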